IAM permissions boundary support

aws
cloudformation
iam
security

#1

Does Serverless support an easy way to add an IAM permission boundary to the lambda execution roles? I’d love to be able to specify it in the provider similar to iamRoleStatements or on a per function level. Currently I’m having to create my execution role manually in the Resources and link it to each function due to the fact that I’m required to provide a permission boundary on my roles.


#2

Like you, I would like to be able to add my PermissionBoundary property directly in my iamRoleStatements but, as a temporary workaround, I have simply extended my IAM Role in the Resources section.

resources:
  Resources:
    MyFunctionIamRoleLambdaExecution:
      Properties:
        PermissionsBoundary: !Sub "arn:aws:iam::#{AWS::AccountId}:policy/my_policy_name"

MyFunctionIamRoleLambdaExecution is automatically created by Serverless Framework for my function MyFunction.
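Because the workaround above has to be repeated for every generated role, a pre-deploy check that flags any role left without the boundary is useful. The following is an added example, not code from either poster or from the Serverless Framework; it assumes the compiled template has been loaded as a dict (for instance from the JSON that `serverless package` writes under `.serverless/`), and the sample template, the extra resource names and the function names are constructed for illustration.

```python
# Constructed sample of a compiled template; resource names other than
# MyFunctionIamRoleLambdaExecution are hypothetical.
SAMPLE_TEMPLATE = {
    "Resources": {
        "MyFunctionIamRoleLambdaExecution": {
            "Type": "AWS::IAM::Role",
            "Properties": {"PermissionsBoundary": {
                "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/my_policy_name"}},
        },
        "OtherIamRoleLambdaExecution": {
            "Type": "AWS::IAM::Role",
            "Properties": {"Path": "/"},
        },
        "WrongBoundaryRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"PermissionsBoundary":
                           "arn:aws:iam::111122223333:policy/something_else"},
        },
        "MyFunctionLogGroup": {"Type": "AWS::Logs::LogGroup", "Properties": {}},
    }
}


def boundary_text(value):
    """Flatten a PermissionsBoundary value (string or Fn::Sub) to text."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and "Fn::Sub" in value:
        sub = value["Fn::Sub"]  # either "string" or ["string", {vars}]
        return sub if isinstance(sub, str) else sub[0]
    return ""  # Ref, Fn::ImportValue, ... cannot be resolved offline


def roles_violating_boundary(template, required_suffix):
    """Return {logical_id: reason} for each IAM role that breaks the rule."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        boundary = res.get("Properties", {}).get("PermissionsBoundary")
        if boundary is None:
            findings[logical_id] = "no PermissionsBoundary"
        elif not boundary_text(boundary).endswith(required_suffix):
            findings[logical_id] = "unexpected boundary"
    return findings


if __name__ == "__main__":
    print(roles_violating_boundary(SAMPLE_TEMPLATE, ":policy/my_policy_name"))
```

A boundary expressed through an intrinsic the check cannot resolve offline (such as `Ref`) is reported as "unexpected boundary" rather than silently accepted.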